Source: C:\Users\user\AppData\Local\AntiRecuvaAndDB.exe
Code function: 11_2_00A55C35 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\AntiRecuvaAndDB.exe
Code function: 2_2_01255C35 FindFirstFileW,FindNextFileW,FindClose,
(collection): Data: Command: bcdedit /set \TreatAs
Contains functionality to enumerate / list files inside a directory
exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5600, ProcessCommandLine: wmic shadowcopy delete, ProcessId: 6016
Author: Florian Roth (rule), Tom U. Sigma detected: Delete shadow copy via WMIC
Author: Joe Security: Data: Command: wmic shadowcopy delete, CommandLine: wmic shadowcopy delete, CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.
June 2023